August 10, 2018


Just when you thought spam was dead, it’s back and worse than ever

by John_A

(in)Secure is a weekly column that dives into the rapidly escalating topic of cybersecurity.

From emails promising millions of dollars from a Nigerian prince to malicious attachments and nefarious links, all of it falls under the banner of spam. An incredible 40 years have passed since the first email spam was sent out over the progenitor of the internet, the ARPANET, but it remains a threat today. In fact, 2018 is becoming the year of spam.

When all else fails, spam

Spam is making a comeback because other attack vectors aren’t working like they used to. Throughout the history of malware, hackers have discovered many methods of attacking end users and businesses, but a new attack is usually met with a response. Methods that were effective a few years ago, like drive-by downloads, aren’t getting the job done any more.

As cyber-security company F-Secure pointed out in its recent blog post, killing off Adobe Flash plugin support in browsers has clamped down on many browser-based attacks. With that potential attack vector removed, exploit kits have become far less effective and therefore far less common. Combined with the ever-evolving abilities of anti-malware software utilizing machine learning and behavioral tracking, spam’s relative success rate is creeping back up.


“We’ve reduced criminals to spam, one of the least effective methods of infection,” F-Secure’s security advisor, Sean Sullivan, said. “Anti-malware is containing nearly all commoditized, bulk threats. And honestly, I don’t see anything coming over the horizon that could lead to another gold rush, so criminals are stuck with spam.”

That’s despite the fact that modern email clients are better equipped than ever to identify and quarantine spam to prevent its malicious intent from being realized.

Fighting with filters

Just last year Google announced brand new features for its Gmail service that helped it detect 99 percent of spam emails and swiftly dump them into the junk folder. It still faces the odd issue though, like users finding spam emails in their sent folder just a few months ago.

Other companies offer similar services with their email clients. Outlook has a “Junk” folder that automatically scans messages and provides manual controls for blocking or whitelisting certain email addresses and top-level domains. Thunderbird puts the power in the hands of the users by offering a junk filter that it asks you to “train” by showing it what you consider to be junk mail. Popular free email services like eM Client use open-source platforms like Apache SpamAssassin.

There are also several third-party services that can be used to augment existing anti-spam efforts. Mailwasher and SpamSieve are two of the most popular, and though the best versions of them aren’t free, they provide intelligent filtering systems which do a great job of blocking most spam emails.

Despite all of these built-in and add-on options for filtering out junk emails, some are still slipping through. That, combined with the ease of sending spam, is helping it proliferate, and as more malware authors and distributors resort to spamming to make their nefarious gains, they have invented new ways to trick both spam filters and people who think they know better.

New spam for a new age

Spam was originally named after the luncheon meat of the same name due to a Monty Python sketch where the word was chanted in an annoying, incessant fashion. But the comparison to a heavily processed product is just as apt today. Modern spam is often smarter and more convincing than you’d expect.

“Spam is becoming an increasingly successful attack vector, with click rates rising from 13.4% in the second half of 2017 to 14.2% in 2018,” Adam Sheehan, Behavioral Science Lead at MWR InfoSecurity, told The Economic Times.

Spammers personalizing emails to make them seem to come from a legitimate source, or someone known to the recipient, is the most effective tactic, raising the chance of a click on a link or email attachment by 12 percent.

Other methods to increase spam’s efficacy include having a subject line that’s free from errors. That ups the chances of a successful attack by 4.5 percent. Phishing emails can be more successful if an emergency is implied, rather than explicitly stated.


The requisite steps that the recipient must take to infect themselves with the content of spam emails are changing, too. Malicious email attachments now account for 23 percent of spam emails, as per F-Secure’s Päivi Tynninen. But a new wrinkle to that old attack vector is adding a password to the file which is provided in a second attachment. That means that automated detection tools may not be able to analyze the malicious file, as they can’t access it directly.

Modern spam emails frequently use malicious links. They make up 31 percent of spam emails, according to F-Secure. Those links will eventually lead the clicker to a malicious file download, often executing through some form of macro embedded in a document for Word, PowerPoint, or Excel. Even those links are changing. Where once the original link would send you straight to the malicious software, now your browser will jump through a few hoops first.

“Attackers are adding additional layers to avoid automatic analysis and researchers trying to intercept their potentially good infections and creating detections for those,” Tynninen said during a recent episode of the Security Sauna podcast. “They are using these links that are these crazy redirect loops that they are redirecting you from page to page, and after a couple to maybe seven different page redirections you get the final payload, which is only the downloader document with macros.”

That number of redirects might seem excessive, but if researchers try to retrace the steps to provide better detection for such attacks, the attackers can take down just one of the redirect websites. That breaks the chain and makes investigation more difficult.
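For analysts triaging a reported link, the chain described above can be summarised from recorded responses rather than by clicking through it. The following is an added example, not code from the article or from F-Secure; the recorded responses, the `.example` hosts, the `trace` function and both thresholds are assumptions made for illustration.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample: responses recorded by an isolated fetcher, as
# URL -> (status, Location header). All hosts are placeholders.
RECORDED = {
    "http://a.example/track?id=1": (302, "http://b.example/r"),
    "http://b.example/r": (301, "/r2"),
    "http://b.example/r2": (302, "http://c.example/go"),
    "http://c.example/go": (302, "http://d.example/invoice.docm"),
    "http://d.example/invoice.docm": (200, None),
    "http://e.example/x": (302, "http://f.example/gone"),  # f.example is offline
    "http://l.example/1": (302, "http://l.example/2"),
    "http://l.example/2": (302, "http://l.example/1"),
}
MACRO_EXTS = (".docm", ".xlsm", ".pptm")  # macro-enabled Word, Excel, PowerPoint
MAX_HOPS = 10        # assumption: give up after this many redirects
SUSPICIOUS_HOPS = 3  # assumption: triage threshold, tune to local mail flow


def trace(start, recorded=RECORDED):
    """Walk a recorded redirect chain and summarise it for triage."""
    chain, url, outcome = [start], start, "resolved"
    while True:
        if url not in recorded:
            outcome = "broken"  # a hop was taken down, chain cannot be completed
            break
        status, location = recorded[url]
        if status not in (301, 302, 303, 307, 308) or not location:
            break  # final response reached
        url = urljoin(url, location)  # Location may be relative
        looped = url in chain
        chain.append(url)
        if looped or len(chain) - 1 >= MAX_HOPS:
            outcome = "loop" if looped else "too_long"
            break
    hops = len(chain) - 1
    macro = outcome == "resolved" and urlsplit(url).path.lower().endswith(MACRO_EXTS)
    return {
        "hops": hops,
        "hosts": len({urlsplit(u).hostname for u in chain}),
        "outcome": outcome,
        "final": url,
        "macro_document": macro,
        "suspicious": macro or outcome in ("loop", "too_long") or hops >= SUSPICIOUS_HOPS,
    }
```

A `broken` outcome records how far the chain could be followed before a hop disappeared, which is the partial evidence an investigator is left with when one redirect site has been taken down.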

The biggest spam attack vector of them all? Tugging at the heart strings of email users. A full 46 percent of spam emails focus on some form of dating scam. These trick recipients into thinking someone has found their profile on a dating site and wants to chat or meet up.

Old advice still stands

While new methods of attack from spammers and scammers are always a little scary, spam remains as easy to avoid as it is to send.

Unless you specifically requested to receive a certain email attachment from a specific person, don’t open it. Better yet, don’t open anything and have your friend or work colleague send you the file on a more secure platform like a cloud storage service. Don’t click links in emails, either. Always go to the source. If you do have to click a link for whatever reason, check where it’s sending you first by hovering over the link. Chrome, Firefox, and Edge all show the raw link in the bottom-left of your screen when you do so. Make sure it’s not sending you somewhere unexpected.


F-Secure also highlights a number of brands that are commonly spoofed in spam emails. UPS, Amazon, FedEx, Apple, and PayPal are the companies most often faked, so be wary when receiving emails from those companies.

Above all else, take heart that the effort you put into digital security is paying off. Spam isn’t an effective foodstuff, and it’s not a great way to spread malware either — but when it’s all scammers have to work with, they’ll gladly scoop out another gelatinous spoonful. Don’t join them at the table.
